INEC Nigeria Site Visitors Offered PDF_Viewer.EXE

According to its website, the Independent National Electoral Commission of Nigeria (INEC) was formed in 1999 to “…among other things organize elections into various political offices in the country.”

Unfortunately, visiting their site currently results in a download prompt for an executable file. The 526kb file, PDF_Viewer.EXE, claims to be a PDF Viewer (amazingly enough) and is only served once unless the visitor switches browser and / or IP.

PDF Viewer?

Here’s the iframe code from the site which pops the above download prompt:

Code

We’re still digging into what the file does, but users of Malwarebytes Anti-Malware will find we detect it as Trojan.Agent.DED. The site the file comes from does not have a great reputation [1], [2], [3].

As for the INEC website, it appears they may be running an outdated version of WordPress on an outdated Apache web server – not a great combination.

From doing a little rummaging around over at Archive.org, we can see that the code serving the EXE file wasn’t there on December 8th – which was the last time the Internet Archive crawled the site. Whoever put the file there did so very recently. The INEC homepage has a history of being compromised – here’s one from a few months back, focusing on the “bring back our girls” campaign via the defacement archive over at Zone-H.org:

Hacked
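The comparison against the last Archive.org crawl described above can be automated by a site owner. The following is an added example, not code from the original post: it diffs a known-good snapshot of a page against the current copy and reports newly added off-site iframes and similar embeds. The host names and HTML samples are constructed placeholders, since the post shows the real iframe only as an image.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that make the browser fetch remote content without a click.
WATCHED = {"iframe", "script", "embed", "object"}

class _SrcCollector(HTMLParser):
    """Collects (tag, absolute URL) pairs for every watched tag on a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("data")  # <object> uses data=
        if src:
            self.found.add((tag, urljoin(self.base_url, src.strip())))

def embedded_sources(html, base_url):
    parser = _SrcCollector(base_url)
    parser.feed(html)
    return parser.found

def new_offsite_embeds(baseline_html, current_html, base_url):
    """Embeds present now but absent from the baseline and hosted on another host."""
    site = urlparse(base_url).hostname
    added = embedded_sources(current_html, base_url) - embedded_sources(baseline_html, base_url)
    findings = []
    for tag, url in sorted(added):
        host = urlparse(url).hostname
        # The site's own host and its subdomains count as on-site.
        if host and host != site and not host.endswith("." + site):
            is_exe = urlparse(url).path.lower().endswith(".exe")
            findings.append({"tag": tag, "url": url, "executable": is_exe})
    return findings

# Constructed sample pages (placeholder hosts, not the real site or iframe).
SITE = "http://www.site.example/"
BASELINE = '<body><script src="/wp-includes/js/jquery.js"></script><h1>Home</h1></body>'
CURRENT = BASELINE.replace(
    "<h1>", '<iframe src="http://files.example/PDF_Viewer.EXE" width="0"></iframe><h1>')

if __name__ == "__main__":
    for finding in new_offsite_embeds(BASELINE, CURRENT, SITE):
        print(finding)
```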

Readers are advised to be very careful until the owners of the website have fixed whatever needs fixing – we’ve notified them about the file download and they’ve thanked us for letting them know, so one would hope this will be resolved shortly.

Christopher Boyd
